Skip to main content

Cyware Threat Intelligence eXchange

Flashpoint

Connector Category: API Feed Source

About Flashpoint

CTIX integrates with Flashpoint to retrieve actionable threat intel related to the latest vulnerabilities, intel reports, and threat indicators. This integration provides access to intelligence reports and technical data to empower analysts with the context they need to make better decisions on risks and cyber threats.

Use Cases

  • Get actionable finished intel reports and the associated indicators from Flashpoint.

  • View the finished intel reports in rich text format in Threat Bulletins. You can also export or email the Threat Bulletins.

  • Analyze the threat intel and vulnerability data received from Flashpoint to uncover associated threat actors and attack patterns.

  • Correlate data received from Flashpoint with other sources to get insights for threat investigation.

  • Prioritize resources based on the observed attack patterns and events.

Benefits

  • Assess risks quickly and take necessary actions.

  • Make timely decisions and reduce the impact of attacks on your organization.

Configure Flashpoint as an API Feed Source

Configure Flashpoint as an API feed source in CTIX to receive indicators, vulnerabilities, and finished intel report feeds from Flashpoint.

Before you Start

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.

  • You must have the bearer token of your Flashpoint account.

    Note

    Ensure that the bearer token includes the permissions to retrieve indicators, vulnerabilities, and finished intel reports. If the bearer token does not have permission to retrieve a threat data feed, then the respective feed channel is disabled automatically and displays a connection error.

Steps

To configure Flashpoint as an API feed source in CTIX, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API source.

  3. Search and select the Flashpoint app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance name. For example, Flashpoint-Prod.

  6. Enter the base URL of your Flashpoint instance. The default base URL is https://fp.tools/api/v4/.

  7. Enter the Flashpoint bearer token to authenticate communication between the CTIX and Flashpoint servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Flashpoint servers. By default, Verify SSL is selected.

    Note

    Cyware recommends you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection.

  9. Click Save.

The Flashpoint instance is configured and you can view the Flashpoint feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure Flashpoint Feed Channels

Configure the respective feed channels to retrieve the indicator, finished intel report, and vulnerability feeds from Flashpoint and store the feeds in a collection.

Steps

To configure a Flashpoint channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Flashpoint app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and enable the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, FP Feeds. CTIX creates the collection and stores all the feeds from the feed channel.

  8. Select from one of the following Polling Cron Schedule types to define when to poll the data:

    • Manual: Allows you to manually poll from the source collection.

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

      • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  9. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.

  10. Select any tags to identify and categorize the feeds.

  11. (Optional) Enable the Broken Connection Retry Policy to allow the CTIX application to re-attempt any failed connection attempts to your Flashpoint account. The system will attempt to connect 10 times.

    • You can enter the retry interval in days, minutes, or weeks and also specify the retry interval and the retry count.

    • Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive error responses. For example, for a 10-minute exponential retry interval, the system will re-attempt to connect in 10, 100, 1000, 10000, and so on minutes till the retry count value is met. Use this option to give your system resources some breathing time and resolve any service overload issues.

  12. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Flashpoint Feed Channels

CTIX provides multiple channels to poll feeds from Flashpoint. The following table lists all the feed channels and the Flashpoint API endpoints used for each feed channel.

Feed Channel

API URL

Fetch Indicator Feeds

{{base_url}}indicators/event

Fetch Finished Intel Reports

{{base_url}}reports

Retrieve Vulnerability Feeds Data

{{base_url}}all/search